Hooking Candiru
Another Mercenary Spyware Vendor Comes into Focus
By Bill Marczak, John Scott-Railton, Kristin Berdan, Bahr Abdul Razzak, and Ron Deibert
July 15, 2021
Summary
Candiru is a secretive Israel-based company that sells spyware exclusively to governments.
Reportedly, their spyware can infect and monitor iPhones, Androids, Macs, PCs, and cloud
accounts.
Using Internet scanning, we identified more than 750 websites linked to Candiru’s spyware
infrastructure. We found many domains masquerading as advocacy organizations such as
Amnesty International and the Black Lives Matter movement, as well as media companies and other
civil-society themed entities.
We identified a politically active victim in Western Europe and recovered a copy of Candiru’s
Windows spyware.
Working with Microsoft Threat Intelligence Center (MSTIC) we analyzed the spyware, resulting in
the discovery of CVE-2021-31979 and CVE-2021-33771 by Microsoft, two privilege escalation
vulnerabilities exploited by Candiru. Microsoft patched both vulnerabilities on July 13th, 2021.
As part of their investigation, Microsoft observed at least 100 victims in Palestine, Israel, Iran,
Lebanon, Yemen, Spain, United Kingdom, Turkey, Armenia, and Singapore. Victims include
human rights defenders, dissidents, journalists, activists, and politicians.
We provide a brief technical overview of the Candiru spyware’s persistence mechanism and
some details about the spyware’s functionality.
Candiru has made efforts to obscure its ownership structure, staffing, and investment partners.
Nevertheless, we have been able to shed some light on those areas in this report.
1. Who is Candiru?
The company known as “Candiru,” based in Tel Aviv, Israel, is a mercenary spyware firm that markets
“untraceable” spyware to government customers. Their product offering includes solutions for spying
on computers, mobile devices, and cloud accounts.
Figure 1: A distinctive mural of five men with empty heads wearing suits and bowler hats is displayed in this
“Happy Hour” photo, taken at a previous Candiru office and posted on Facebook by a catering company.1
While the company’s current name is Saito Tech Ltd, we will refer to them as “Candiru” as they are
most well known by that name. The firm’s corporate logo appears to be a silhouette of the reputedly
gruesome Candiru fish in the shape of the letter “C.”
Candiru has at least one subsidiary: Sokoto Ltd.3 Section 5 provides further documentation of
Candiru’s corporate structure and ownership.
Uzbekistan: In a 2019 presentation at the Virus Bulletin security conference, a Kaspersky Lab
researcher stated that Candiru likely sold its spyware to Uzbekistan’s National Security Service.
Saudi Arabia & the UAE: The same presentation also mentioned Saudi Arabia and the UAE as
likely Candiru customers.
Singapore: A 2019 Intelligence Online report mentions that Candiru was active in soliciting
business from Singapore’s intelligence services.
Qatar: A 2020 Intelligence Online report notes that Candiru “has become closer to Qatar.” A
company linked to Qatar’s sovereign wealth fund has invested in Candiru. No information on
Qatar-based customers has yet emerged.
Like many of its peers, Candiru appears to license its spyware by number of concurrent infections, which
reflects the number of targets that can be under active surveillance at any one instant in time. Like
NSO Group, Candiru also appears to restrict the customer to a set of approved countries.
The €16 million project proposal shown in Figure 3 allows for an unlimited number of spyware infection
attempts, but the monitoring of only 10 devices simultaneously. For an additional €1.5M, the customer
can purchase the ability to monitor 15 additional devices simultaneously and to infect devices in a
single additional country. For an additional €5.5M, the customer can monitor 25 additional devices
simultaneously and conduct espionage in five more countries.
Figure 3: Proposal for a Candiru Customer indicating number of concurrent infections under a given contract.
The fine print in the proposal states that the product will operate in “all agreed upon territories,” then
mentions a list of restricted countries including the US, Russia, China, Israel and Iran. This same list of
restricted countries has previously been mentioned by NSO Group. Nevertheless, Microsoft observed
Candiru victims in Iran, suggesting that in some situations, products from Candiru do operate in
restricted territories. In addition, targeting infrastructure disclosed in this report includes domains
masquerading as the Russian postal service.
The proposal states that the spyware can exfiltrate private data from a number of apps and accounts
including Gmail, Skype, Telegram, and Facebook. The spyware can also capture browsing history and
passwords, turn on the target’s webcam and microphone, and take pictures of the screen. Capturing
data from additional apps, such as Signal Private Messenger, is sold as an add-on.
Figure 4: Customers can pay additional money to capture data from Signal.
For a further €1.5M fee, customers can purchase a remote shell capability, which gives them full
access to run any command or program on the target’s computer. This kind of capability is
especially concerning, given that it could also be used to download files onto an infected device,
for example to plant incriminating materials.
While analysis of the extracted spyware is ongoing, this section outlines initial findings about the
spyware’s persistence mechanism and functionality.
Persistence
Candiru’s spyware was persistently installed on the computer via COM hijacking of the following
registry key:

    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Normally, this registry key’s value points to the benign Windows Management Instrumentation
wmiutils.dll file, but the value on the infected computer had been modified to point to a malicious DLL
file that had been dropped inside the Windows system folder associated with the Japanese input
method (IMEJP) C:\WINDOWS\system32\ime\IMEJP\IMJPUEXP.DLL. This folder is benign and included
in a default install of Windows 10, but IMJPUEXP.DLL is not the name of a legitimate Windows
component.
When Windows boots, it automatically loads the Windows Management Instrumentation service,
which involves looking up the DLL path in the registry key, and then invoking the DLL.
Of particular note among the resources embedded in IMJPUEXP.DLL is resource 102, which contains the
path to the legitimate wmiutils.dll. The spyware loads that DLL after itself, ensuring that the COM hijack
does not disrupt normal Windows functionality. Resource 103 points to a file AgentService.dat in a
folder created by the spyware, C:\WINDOWS\system32\config\spp\Licenses\curv\config\tracing\.
Resource 105 points to a second file in the same directory, KBDMAORI.dat.
IMJPUEXP.DLL decrypts and loads the AgentService.dat file whose path is in resource 103, using the
same AES key and IV, and decompresses it via zlib. AgentService.dat then loads the file named in
resource 105, KBDMAORI.dat, decrypting it with a second AES key and IV hardcoded in AgentService.dat
using a statically linked OpenSSL. Decrypting KBDMAORI.DAT yields a file containing a series of
nine encrypted blobs, each prefixed with an 8-byte little-endian length field. Each blob is encrypted
with the same AES key and IV used to decrypt KBDMAORI.DAT, and decrypts to zlib-compressed data.
The first four encrypted blobs appear to be DLLs from the Microsoft Visual C++ redistributable:
vcruntime140.dll, msvcp140.dll, ucrtbase.dll, concrt140.dll. The subsequent blobs are part of the
spyware, including components that are apparently called Internals.dll and Help.dll. Both the Microsoft
DLLs and the spyware DLLs in KBDMAORI.DAT are lightly obfuscated. Reverting the following
modifications makes the files valid DLLs:
1. The first two bytes of the file (MZ) have been zeroed.
2. The first 4 bytes of the NT header (\x50\x45\x00\x00, i.e. “PE\0\0”) have been zeroed.
3. The first 2 bytes of the optional header (\x0b\x02, the PE32+ magic) have been zeroed.
4. The strings in the import directory have been XOR obfuscated, using a 48-byte XOR key
hardcoded in AgentService.dat:
6604F922F90B65F2B10CE372555C0A0C0C5258B6842A83C7DC2EE4E58B363349F496E6B6A587A88D0164B74DAB9E6B58
The final blob in KBDMAORI.DAT is the spyware’s configuration in JSON format. The configuration is
somewhat obfuscated, but clearly contains Base64 UTF-16 encoded URLs for command-and-control.
https://msstore[.]io
https://adtracker[.]link
https://cdnmobile[.]io
All three domain names pointed to 185.181.8[.]155. This IP address was connected to three other IPs
that matched our Candiru fingerprint CF1 (Section 3).
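The layering described above (length-prefixed blobs, zlib inside AES, and the four header and import-string modifications) is straightforward to reverse once the AES layer is off. The Python below is an added example written for this page; it is not Candiru’s code and not tooling from the report. It takes the decrypted KBDMAORI.DAT payload as input (the report does not publish the AES keys, so that step is left out), splits the blob container, inflates each blob, and restores the zeroed MZ, PE and optional-header magic bytes, choosing PE32 or PE32+ from the COFF Machine field rather than assuming every file is 64-bit. The XOR key is the one quoted above; how the key is aligned to each import string is not stated, so applying it from offset 0 per string is an assumption, as are the `c2` key and little-endian UTF-16 in the configuration decoder. The sample container, the stub PE files inside it and the example C2 URL are constructed here for illustration.

```python
from __future__ import annotations

import base64
import json
import struct
import zlib

# 48-byte XOR key quoted in the report (hardcoded in AgentService.dat).
IMPORT_XOR_KEY = bytes.fromhex(
    "6604F922F90B65F2B10CE372555C0A0C0C5258B6842A83C7"
    "DC2EE4E58B363349F496E6B6A587A88D0164B74DAB9E6B58"
)
# COFF Machine -> optional-header magic (AMD64 -> PE32+, I386 -> PE32).
MACHINE_TO_MAGIC = {0x8664: 0x020B, 0x014C: 0x010B}


def parse_blobs(container: bytes) -> list[bytes]:
    """Split the decrypted KBDMAORI.DAT layout: blobs prefixed with an 8-byte
    little-endian length. A length running past the buffer is an error."""
    blobs, off = [], 0
    while off < len(container):
        if len(container) - off < 8:
            raise ValueError(f"{len(container) - off} dangling byte(s) at {off}")
        (length,) = struct.unpack_from("<Q", container, off)
        off += 8
        if length > len(container) - off:
            raise ValueError(f"blob at {off - 8} claims {length} bytes, {len(container) - off} left")
        blobs.append(container[off:off + length])
        off += length
    return blobs


def restore_pe(blob: bytes) -> bytes:
    """Undo modifications 1-3: zeroed 'MZ', zeroed 'PE\\0\\0' and zeroed
    optional-header magic. The magic is derived from the Machine field."""
    buf = bytearray(blob)
    if len(buf) < 0x40 or buf[0:2] not in (b"\x00\x00", b"MZ"):
        raise ValueError("no zeroed or intact DOS header")
    buf[0:2] = b"MZ"
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    if e_lfanew + 26 > len(buf):
        raise ValueError("e_lfanew points outside the file")
    if buf[e_lfanew:e_lfanew + 4] not in (b"\x00" * 4, b"PE\x00\x00"):
        raise ValueError("unexpected bytes at the NT signature")
    buf[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    (machine,) = struct.unpack_from("<H", buf, e_lfanew + 4)
    if machine not in MACHINE_TO_MAGIC:
        raise ValueError(f"unknown Machine value {machine:#06x}")
    struct.pack_into("<H", buf, e_lfanew + 24, MACHINE_TO_MAGIC[machine])
    return bytes(buf)


def xor_with_key(data: bytes, key: bytes = IMPORT_XOR_KEY) -> bytes:
    """Repeating-key XOR (modification 4). Starting the key at offset 0 for
    each import string is an assumption; the report does not say."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def extract_c2(config_json: bytes) -> list[str]:
    """Decode Base64, UTF-16 URLs from the JSON config blob. The 'c2' key
    and little-endian UTF-16 are assumptions made for this example."""
    return [base64.b64decode(e).decode("utf-16-le") for e in json.loads(config_json)["c2"]]


def deobfuscate_container(container: bytes) -> tuple[list[bytes], bytes]:
    """Inflate every blob; the last is the config, the rest are PE files."""
    blobs = [zlib.decompress(b) for b in parse_blobs(container)]
    return [restore_pe(b) for b in blobs[:-1]], blobs[-1]


# Constructed sample data (not from the report) -------------------------

def make_stub_pe(machine: int) -> bytes:
    """0x68-byte stub with only the fields restore_pe reads; not loadable."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> NT header at 0x40
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xF0, 0x2022)
    opt = struct.pack("<H", MACHINE_TO_MAGIC[machine]) + b"\x00" * 14
    return bytes(dos) + b"PE\x00\x00" + coff + opt


def obfuscate_pe(pe: bytes) -> bytes:
    """Apply modifications 1-3 exactly as the report describes them."""
    buf = bytearray(pe)
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    buf[0:2] = b"\x00\x00"
    buf[e_lfanew:e_lfanew + 4] = b"\x00" * 4
    buf[e_lfanew + 24:e_lfanew + 26] = b"\x00\x00"
    return bytes(buf)


def build_sample_container() -> bytes:
    """Stand-in for KBDMAORI.DAT after AES decryption: two obfuscated,
    zlib-compressed PEs followed by a JSON config with one C2 URL."""
    c2 = base64.b64encode("https://c2.example".encode("utf-16-le")).decode()
    records = [
        zlib.compress(obfuscate_pe(make_stub_pe(0x8664))),
        zlib.compress(obfuscate_pe(make_stub_pe(0x014C))),
        zlib.compress(json.dumps({"c2": [c2]}).encode()),
    ]
    return b"".join(struct.pack("<Q", len(r)) + r for r in records)
```

On a real sample, pass the decrypted KBDMAORI.DAT bytes to deobfuscate_container and compare the restored files against the VC++ redistributable DLLs the report names. The length checks in parse_blobs matter in practice: a wrong key or a truncated capture yields garbage length fields, and without the check the parser would read far past the buffer instead of failing at the first bad record.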
Spyware Functionality
We are still reversing most of the spyware’s functionality, but Candiru’s Windows payload appears to
include features for exfiltrating files, exporting all messages saved in the Windows version of the popular
encrypted messaging app Signal, and stealing cookies and passwords from the Chrome, Internet
Explorer, Firefox, Safari, and Opera browsers. The spyware also makes use of a legitimate signed
third-party driver, physmem.sys (SHA-256):
c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d
Microsoft’s analysis also established that the spyware could send messages from logged-in email and
social media accounts directly on the victim’s computer. This could allow malicious links or other mes-
sages to be sent directly from a compromised user’s computer. Proving that the compromised user did
not send the message could be quite challenging.
Additionally, based on our analysis of Internet scanning data, we believe that there are Candiru
systems operated from Saudi Arabia, Israel, UAE, Hungary, and Indonesia, among other countries.
Censys data records that a total of six IP addresses returned this certificate: 151.236.23[.]93,
69.28.67[.]162, 176.123.26[.]67, 52.8.109[.]170, 5.135.115[.]40, 185.56.89[.]66. The latter four of these IP
addresses subsequently returned another certificate, which we fingerprinted (Fingerprint CF1) based
on distinctive features. We searched Censys data for this fingerprint.
    SELECT parsed.fingerprint_sha256
    FROM `censys-io.certificates_public.certificates`
    AND parsed.extensions.basic_constraints.is_ca
We found 42 certificates on Censys matching CF1. We observed that six IPs matching CF1 certificates
later returned certificates that matched a second fingerprint we devised, CF2. The CF2 fingerprint is
based on certificates that match those generated by a “Fake Name” generator. We first ran an SQL
query on Censys data for the fingerprint, and then filtered by a list of fake names.
    FROM `censys-io.certificates_public.certificates`
    CN=[a-z]+\.(com|net|org)+$")
    AND parsed.extensions.basic_constraints.is_ca
The SQL query yielded 572 results. We filtered the results, requiring the TLS certificate’s organization in
the parsed.subject_dn field to contain an entry from the list of 475 last names in the Perl Data-Faker
module. We suspect that Candiru is using either this Perl module, or another module that uses the
same word list, to generate fake names for TLS certificates. Neither the Perl Data-Faker module, nor
other similar modules (e.g., the Ruby Faker Gem, or the PHP Faker module) appear to have built-in
functionality for generating fake TLS certificates. Thus, we suspect that the TLS certificate generation
code is custom code written by Candiru. After filtering, we found 542 matching certificates.
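The post-query filtering step above is the part of the CF2 pipeline the page describes fully enough to reproduce. The Python below is an added example, not Citizen Lab’s tooling: it applies the predicates that survive on the page (the CA flag and the lowercase CN-under-.com/.net/.org shape) and then the organization-name check against a word list of Faker last names. The short name list is a constructed excerpt standing in for the 475-entry Data::Faker list, and the sample rows are constructed in the shape of Censys’s parsed.* fields. Matching whole words in the O field is a design choice made here, so that a real company name that merely contains a listed surname as a substring does not trigger.

```python
from __future__ import annotations

import re

# Constructed excerpt standing in for the 475-entry last-name list shipped
# with Perl's Data::Faker; the real list is not reproduced here.
FAKER_LAST_NAMES = frozenset({
    "Bauch", "Corwin", "Dicki", "Hodkiewicz", "Kuhlman", "Schaefer", "Wuckert",
})

# CN shape from the CF2 query: one lowercase label under .com/.net/.org.
CN_PATTERN = re.compile(r"^[a-z]+\.(com|net|org)$")


def parse_dn(dn: str) -> dict[str, str]:
    """Parse 'C=US, O=Kuhlman Inc, CN=example.com' into a dict keyed by
    attribute type. RFC 4514 escaping is not handled (not needed here)."""
    fields = {}
    for part in dn.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().upper()] = value.strip()
    return fields


def organization_has_fake_surname(org: str, names=FAKER_LAST_NAMES) -> bool:
    """Whole-word match, so 'Kuhlmanville' does not match 'Kuhlman'."""
    return any(tok in names for tok in re.findall(r"[A-Za-z']+", org))


def matches_cf2(record: dict) -> bool:
    """CA flag and CN regex from the query, then the surname filter that
    the report applied to the 572 query results."""
    if not record.get("is_ca"):
        return False
    fields = parse_dn(record["subject_dn"])
    if not CN_PATTERN.match(fields.get("CN", "")):
        return False
    return organization_has_fake_surname(fields.get("O", ""))


def filter_cf2(records: list[dict]) -> list[str]:
    """Return the SHA-256 fingerprints of the records that match CF2."""
    return [r["fingerprint_sha256"] for r in records if matches_cf2(r)]


# Constructed sample rows in the shape of Censys's parsed.* fields.
SAMPLE_RECORDS = [
    {"fingerprint_sha256": "aa" * 32, "is_ca": True,
     "subject_dn": "C=US, ST=CA, O=Kuhlman Inc, CN=bluewater.com"},
    {"fingerprint_sha256": "bb" * 32, "is_ca": True,
     "subject_dn": "C=US, O=Let's Encrypt, CN=example.com"},
    {"fingerprint_sha256": "cc" * 32, "is_ca": True,
     "subject_dn": "C=GB, O=Schaefer Ltd, CN=mail.example.co.uk"},
    {"fingerprint_sha256": "dd" * 32, "is_ca": False,
     "subject_dn": "O=Dicki, CN=updates.net"},
    {"fingerprint_sha256": "ee" * 32, "is_ca": True,
     "subject_dn": "O=Wuckert-Corwin, CN=tracker.org"},
]
```

Only the first and last sample rows survive: the second has a real organization name, the third has a multi-label CN that the regex rejects, and the fourth is not a CA certificate. Swapping the constructed name set for the full Data::Faker list is the only change needed to run this over exported Censys rows.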
We then developed an HTTP fingerprint, called BRIDGE, with which we scanned the Internet and built
a third TLS fingerprint, CF3. We are keeping the BRIDGE and CF3 fingerprints confidential for now in
order to maintain visibility into Candiru’s infrastructure.
Google also linked a further Microsoft Office exploit they observed (CVE-2021-33742) to the same
operator.
Targeting Themes
Examination of Candiru’s targeting infrastructure permits us to make guesses about the location of
potential targets, and topics and themes that Candiru operators believed that targets would find relevant
and enticing.
Some of the themes strongly suggest that the targeting likely concerned civil society and political
activity. This troubling indicator matches Microsoft’s observation of the extensive targeting of
members of civil society, academics, and the media with Candiru’s spyware. We observed evidence of
targeting infrastructure masquerading as media, advocacy organizations, international organizations,
and others (see: Table 4).
We found many aspects of this targeting concerning, such as the domain blacklivesmatters[.]info,
which may be used to target individuals interested in or affiliated with this movement. Similarly,
infrastructure masquerading as Amnesty International and Refugee International is troubling, as are
lookalike domains for the United Nations, World Health Organization, and other international
organizations. We also found the targeting theme of gender studies (e.g. womanstudies[.]co &
genderconference[.]org) to be particularly interesting and warranting further investigation.
Table 4 (partial): Targeting domains masquerading as media and technology companies
Media
    cnn24-7[.]online          CNN
    rasef22[.]com             Raseef22
    france-24[.]news          France 24
Tech Companies
    cortanaupdates[.]com      Microsoft
    googlplay[.]store         Google
    apple-updates[.]online    Apple
    amazon-cz[.]eu            Amazon
    drpbx-update[.]net        Dropbox
    lenovo-setup[.]tk         Lenovo
    konferenciya-zoom[.]com   Zoom
    zcombinator[.]co          Y Combinator
    linkedin-jobs[.]com       LinkedIn
    faceb00k-live[.]com       Facebook
    twitt-live[.]com          Twitter
    youtubee[.]life           YouTube
A range of targeting domains appears to be reasonably country-specific (see: Table 5). We believe these
domain themes indicate likely countries of targets and not necessarily the countries of the operators
themselves.
Table 5 (partial): Country-specific targeting domains
Country        Domain                      Description
Palestine      lwaeh-iteham-alasra[.]com   Website that publishes Israeli court indictments of Palestinian prisoners
Saudi Arabia   mbsmetoo[.]com              Website for “an international campaign to support the case of Jamal Khash
4. A Saudi-Linked Cluster?
A document was uploaded from Iran to VirusTotal that used an AutoOpen macro to launch a web
browser and navigate it to the URL https://cuturl[.]space/lty7uw, which VirusTotal recorded as
redirecting to https://useproof[.]cc/1tUAE7A2Jn8WMmq/api, a URL on a domain we linked to Candiru,
useproof[.]cc. The domain useproof[.]cc pointed to 109.70.236[.]107, which matched our
fingerprint CF3.
The document was blank, except for a graphic containing the text “Minister of Foreign Affairs of the
Islamic Republic of Iran.”
Figure 7: A document that loads a Candiru URL was uploaded to VirusTotal from Iran, and includes a header image
referencing the Minister of Foreign Affairs.
We fingerprinted the behaviour of cuturl[.]space and traced it to five other URL shorteners: llink[.]link,
instagrarn[.]co, cuturl[.]app, url-tiny[.]co, and bitly[.]tel. Interestingly, several of these domains were
flagged by a researcher at ThreatConnect in two tweets, based on suspicious characteristics of their
registration. We suspect that the AutoOpen format and the URL shorteners may be unique to a
particular Candiru client.
A Saudi Twitter user contacted us and reported that Saudi users active on Twitter were receiving
messages with suspicious short URLs, including links to the domain name bitly[.]tel. Given this, we
suspect that the URL shorteners may be linked to Saudi Arabia.
Besides Amit Ron (עמית רון), the Universal Motors Israel representative, Candiru’s board as of December
2020 includes Isaac Zack, Ya’acov Weitzman, and Eran Shorer.
In addition to the involvement of Zack, Candiru shares other points of commonality with NSO Group,
including representation by the same law firm and utilization of the same employee equity and trust
administration services company.
6. Conclusion
Candiru’s apparent widespread presence, and the use of its surveillance technology against global civil
society, is a potent reminder that the mercenary spyware industry contains many players and is prone
to widespread abuse. This case demonstrates, yet again, that in the absence of any international
safeguards or strong government export controls, spyware vendors will sell to government clients who will
routinely abuse their services. Many governments that are eager to acquire sophisticated surveillance
technologies lack robust safeguards over their domestic and foreign security agencies. Many are
characterized by poor human rights track records. It is not surprising that, in the absence of strong legal
restraints, these types of government clients will misuse spyware services to track journalists, political
opposition, human rights defenders, and other members of global civil society.
Equally disturbing in this regard is Candiru’s registration of domains impersonating human rights
NGOs (Amnesty International), legitimate social movements (Black Lives Matter), international health
organizations (WHO), women’s rights themes, and news organizations. Although we lack context
around the specific use cases connected to these domains, their mere presence as part of Candiru’s
infrastructure—in light of widespread harms against civil society associated with the global spyware
industry—is highly concerning and an area that merits further investigation.
It is worth noting the growing risks that spyware vendors and their ownership groups themselves face
as a result of their own reckless sales. Mercenary spyware vendors like Candiru market their services to
their government clients as “untraceable” tools that evade detection and thus prevent their clients’
operations from being exposed. However, our research shows once again how specious these claims are.
Although sometimes challenging, it is possible for researchers to detect and uncover targeted
espionage using a variety of network monitoring and other investigative techniques, as we have
demonstrated in this report (and others like it). Even the most well-resourced surveillance companies make
operational mistakes and leave digital traces, making their marketing claims about being stealthy and
undetectable highly questionable. To the extent that their products are implicated in significant harms
or cases of unlawful targeting, the negative exposure that comes from public interest research may
create significant liabilities for ownership, shareholders, and others associated with these spyware
companies.
Finally, this case shows the value of a community-wide approach to investigations into targeted
espionage. In order to remedy the harms generated by this industry for innocent members of global civil
society, cooperation among academic researchers, network defenders, threat intelligence teams, and
technology platforms is critical. Our research drew upon multiple data sources curated by other groups
and entities with whom we cooperated, and ultimately helped identify software vulnerabilities in a
widely used product that were reported to and then patched by its vendor.
Acknowledgements
Thanks to Microsoft and Microsoft Threat Intelligence Center (MSTIC) for their collaboration, and for
working to quickly address the security issues identified through their research.
We are especially grateful to the targets that make the choice to work with us to help identify and ex-
pose the entities involved in targeting them. Without their participation this report would not have
been possible.
Thanks to Team Cymru for providing access to their Pure Signal Recon product. Their tool’s ability to
show Internet traffic telemetry from the past three months provided the breakthrough we needed to
identify the initial victim from Candiru’s infrastructure.
Funding for this project was provided by a generous grant from the John D. and Catherine T. MacArthur
Foundation, the Ford Foundation, Oak Foundation, Sigrid Rausing Trust, and Open Society
Foundations.
Thanks to Miles Kenyon, Mari Zhou, and Adam Senft for communications, graphics, and organizational
support.
2. Data based on a review of the portfolio for company registration number 515126605 in the
Israeli Corporations Authority online database.
3. Incorporated 14 Mar 2020, registration number 515996981, same registered address as Saito
Tech. The name “Sokoto” may refer to a city in Nigeria.
4. Kaspersky calls this group FruityArmor.
Tags: Candiru, Civil Society, Cybersecurity, spyware, Targeted Threats
Unless otherwise noted this site and its contents are licensed under a Creative Commons Attribution
2.5 Canada license.